Overview
This article explains the procedure for customers federating Microsoft 365 with Access Control to remove the federation between Access Control and Microsoft 365, so that Access Control no longer intervenes in Microsoft 365 logins.
Additionally, if you are synchronizing users between Access Control and Microsoft 365, this procedure describes how to delete the settings to stop synchronization.
Notes
- The content of this article is based on product specifications as of July 2026 and may change without notice.
- After performing this procedure, it may take some time for the federation removal to complete. The estimated time for removal is about 30 minutes to 1 hour.
- After removing the federation, please perform a Microsoft 365 password reset. If you are synchronizing passwords from Active Directory to Microsoft 365 using Microsoft’s synchronization tool, this step is not necessary.
- After removing the federation, please log in from the Microsoft 365 login page.
- Please uninstall the Secure Browser app and device certificates from each user's device. Even if they remain, they will not affect the device, but continued use will not be possible.
- Global admin privileges for both Microsoft 365 and Access Control are required to perform periodic synchronization or remove federation.
Table of Contents
- Removing Federation
- Deleting Synchronization Service
- Deletion of HENNGE Custom Domain
- Microsoft 365 Password Reset
- Deleting Enterprise Applications
- Removing Other SSO Services
Procedure
Removing Federation
-
From the Access Control admin console, go to [System] – [Connected Services].
-
From the list of services, select the row where the "Display Name" is [Microsoft] and the "Type" is [Microsoft]. If this item does not exist, proceed to Removing Federation (PowerShell).
-
Select [Federated Domains] – [Manage Domains].
- If the [Requested Permissions] screen for Microsoft 365 appears, check [Consent on behalf of your organization] and click [Accept]. If authentication is already complete, select the user to proceed to the next screen.
- On the [Domain Management] screen, check the status of the domain to be removed from federation and follow the corresponding procedure.
- If the status is [Federated] (old procedure), proceed from step 6.
-
If the status is [Federated], proceed from step 8.
-
Click [Upgrade] for the target domain.
-
On the confirmation screen, review the details and click [Upgrade]. Confirm that the status changes to [Federated].
-
Click [Remove] for the target domain.
-
On the confirmation screen, review the details and click [Remove Domain]. Confirm that the status changes to [Not Federated].
- If there are multiple domains to remove from federation, repeat this procedure for each domain.
- Once federation removal is complete for all domains, proceed to Deleting Synchronization Service.
Removing Federation (PowerShell)
* If you are already federating with another IdP service, do not perform this procedure.
- Make sure the Microsoft Graph PowerShell SDK module is installed in PowerShell. Complete the steps in the following article in advance.
Installing Microsoft Graph PowerShell SDK -
Launch PowerShell and run the following command:
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop - When the login dialog appears, sign in with an account that has Microsoft 365 global admin privileges.
-
Run the following command to check domain information. Confirm that the "AuthenticationType" for the domain in use is "Federated".
Get-MgDomain -
Run the following command to remove federation. Immediately after removal, it may take some time for the settings to be reflected within Microsoft 365, and single sign-on behavior may still occur.
Update-MgDomain -DomainId [Your Domain] -AuthenticationType "Managed" -
Run the following command to check domain information. Confirm that the "AuthenticationType" for the domain removed in step 5 is now "Managed".
Get-MgDomain -
Run the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph - Proceed to Deleting Synchronization Service.
Deleting Synchronization Service
If you are performing periodic synchronization between Access Control and Microsoft 365
- Stop periodic synchronization between Access Control and Microsoft 365. For details, refer to the following article.
How to Stop Periodic Synchronization with Microsoft 365 in Access Control
If you are synchronizing between Active Directory and Access Control
On the Windows server where the HENNGE One synchronization service is installed, perform the following steps.
- Uninstall HENNGE One Directory Sync. From [Control Panel] – [Programs and Features], uninstall the following program:
HENNGE One Directory Sync x.x.x - Delete files related to HENNGE One Directory Sync. Manually delete the "C:\Program Files\HENNGE One Directory Sync" folder and all files directly under it.
- Delete files under the HDEOne folder. If the "C:\HDEOne" folder exists, manually delete that folder and all files directly under it.
-
Uninstall HDEPasswordFilter.dll. Launch PowerShell as an administrator and run the following PowerShell commands.
Example command to move to the folder where the installer is stored
cd <Path to Installer_HDEOnePasswordSync folder>Uninstall HDEPasswordFilter.dll
powershell -ExecutionPolicy Bypass -File .\uninstall.ps1Reference (installation procedure): [Access Control] Installing HDEPasswordFilter.dll on All Domain Controllers (WS 2016 and later)
Deletion of HENNGE Custom Domain
If you have created and been operating a subdomain (xxxx.myhennge.com) in Access Control, please follow the steps below to delete the custom domain.
[HENNGE One Launcher] How to Delete Custom Domains
Microsoft 365 Password Reset
This section explains how to perform a bulk password reset in Microsoft 365.
* If you are synchronizing passwords from Active Directory to Microsoft 365, this step is not necessary.
* Be sure to run each command as a single line.
To perform this procedure, the Microsoft Graph PowerShell SDK module must be installed in PowerShell. Please ensure you have completed the steps in the following article in advance.
Installing Microsoft Graph PowerShell SDK
- Create a "temp" folder directly under the C drive. On your working PC, create a "temp" folder directly under the C drive.
-
Log in with Microsoft Graph PowerShell. Run the following command in PowerShell:
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction StopWhen the login dialog appears, continue signing in with an account that has Microsoft 365 global admin privileges.
- Obtain a list of users. Run the following command to output a list of users, excluding those whose User Principal Name ends with "*.onmicrosoft.com".
Get-MgUser -All | where { -not ($_.userprincipalname-like"*.onmicrosoft.com")} | select UserPrincipalName | Export-Csv c:\temp\volunteers.csv -NoTypeInformation- Manually remove account information such as meeting rooms from the user list CSV. In the CSV file in the "c:\temp" folder (volunteers.csv), manually delete account information for meeting rooms and other accounts that are not subject to password changes.
- Change passwords in bulk. Run the following commands one line at a time.
$params = @{
PasswordProfile = @{
ForceChangePasswordNextSignIn = $True
Password = "XXXXXXXX"
}
}
Import-Csv c:\temp\volunteers.csv | where{Get-MgUser -UserID $_.UserPrincipalName; Update-MgUser -UserID $_.UserPrincipalName -BodyParameter $params }Each user will be required to change their password after logging in to Microsoft 365. All users will have the same password. Please replace "XXXXXXXX" in the above command with your initial login password string.
Password requirements: Azure AD password policy (external link)
Depending on the authentication cache retention specification of Microsoft 365, authentication dialogs may not appear immediately in client applications such as Outlook.
- Disconnect from Microsoft Graph. Run the following command to disconnect from Microsoft Graph.
Disconnect-MgGraphWith the [Connect-MgGraph] command, previously authenticated credentials are retained and you will not be prompted to sign in the next time you start. To ensure you are signed out, please run [Disconnect-MgGraph].
Deleting Enterprise Applications
Access the Microsoft 365 admin center.
From the left menu, click [ID] to access the Microsoft Entra admin center.
Open [Entra ID] – [Enterprise Applications].
From the list of applications displayed on the right, click "HENNGE Access Control Federation Configuration".
From the left menu, click [Manage] – [Properties].
At the top of the Properties screen, select [Delete], then click [Yes] to confirm.
Removing Other SSO Services
If you have services other than Microsoft 365 that are using single sign-on (SSO) with Access Control, please perform the SSO removal procedure for those services as well. You can check the targets in the [Connected Services] section of the Access Control admin console. SSO removal must be performed on the connected service provider (SP) side. For detailed removal instructions, please contact the support desk of each SP.
This completes the settings.
Once you have finished the procedure, please contact HENNGE One Technical Support.